Deployment Architecture

Can any search head be a search peer of another search head, making the data of its own search peers available on the root search head?

dishasaxena
Path Finder

I would like to create an environment where there is a central search head (say A) and various separate search heads are its peer nodes (let one of them be B), which in turn are search heads for multiple indexers (let any indexer C be a search peer of B). I am not able to run searches against these indexers from the root search head (I mean searches against C cannot be run from A). Is it possible to configure this? If yes, then how is it feasible?

0 Karma

alacercogitatus
SplunkTrust

I think you are confused on how topology works with Splunk. Give this a look:

http://docs.splunk.com/Documentation/Splunk/6.0.1/Deploy/Distributedoverview

If you need to be able to Search B's internal logs, forward them to the indexers C.

alacercogitatus
SplunkTrust

Splunk topology says that won't happen. However, have you considered using a reverse proxy? Then you can proxy all the requests from A1 through B1-3 to C1-3.

0 Karma

dishasaxena
Path Finder

Consider B1, B2 and B3 as the search heads of different zones. Through search head A (the global search head) we want to search all the zonal data in one place. This assumes that A1 has connectivity to B1, B2 and B3 only, not to the C1, C2, C3, etc. indexers.

0 Karma

alacercogitatus
SplunkTrust

Again, no. Check the doc for distributed searching. Why do you need to have A search B first? Just make C a search peer of A, and then both A and B search C.

dishasaxena
Path Finder

I don't want to re-index any data. My question is just this: being a search head, B can run searches on its search peer C. Then, if I make B a search peer of a new search head A, somewhat like making a hierarchy, would I be able to run searches on C from search head A? You may think of it as a multi-level search head. I could not find this approach in any of the documents I have been through. So, I am just keen to know if it can be done this way somehow.

Regards,
Disha

0 Karma